3.0.2

CVSS 5.4 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

fontsplugin

NVD

Published: 2021-09-20

Updated: 2024-11-21

Summary

The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gutenberg block.

Vulnerable Configurations

Part	Description	Count
Application	Fontsplugin Fontsplugin Fonts - Fontsplugin Fonts 3.0.0 Fontsplugin Fonts 3.0.1 Fontsplugin Fonts 3.0.2	4

References

https://wpscan.com/vulnerability/dd2b3f22-5e8b-41cf-bcb8-d2e673e1d21e
https://wpscan.com/vulnerability/dd2b3f22-5e8b-41cf-bcb8-d2e673e1d21e